PCI DSS: What's the cost of doing nothing?


11 Apr 2018

Most of us hate petty rules and red tape, and if there's no penalty for non-compliance we tend to turn a blind eye. But is PCI DSS something that merchants can ignore or does neglect come at a devastating price?

There are many risky things in life that people sometimes 'get away with'. At the less serious end, there's cutting your own hair or attempting plumbing by following YouTube videos. At the deep end, there's going sailing without a lifejacket or a communications system.

For merchants taking card payments, where does compliance with the Payment Card Industry Data Security Standard (PCI DSS) stand on the risk spectrum?

PCI DSS relates to how you process, store or transmit cardholder data. It's especially relevant if you take payments over the phone, web, mobile app or chat channels.

But is PCI DSS compliance an optional extra for merchants or a must-have? And if you decide to skip it altogether, what are the potential implications if things go wrong?

To get to the truth, it's important to bust three myths and look at the real costs behind them.

Myth #1: PCI DSS compliance is not a legal requirement, so it doesn't matter to us
It's true, PCI DSS itself isn't enshrined in law, but it is required by the card schemes such as Visa, MasterCard or American Express. As the name suggests, the standard belongs to the Payment Card Industry Security Standards Council (the PCI SSC) and it provides a baseline of technical and operational requirements designed to protect cardholder data. It's for merchants to follow if they want to take card payments, and for the card schemes to enforce.

The cost of doing nothing: If you suffer a data breach, then the card schemes (through your bank) could fine you and restrict your ability to take card payments. Could you cope with the costs? Could you afford to run your business without accepting cards?

Myth #2: Criminals will never target us
Maybe you think you don't take enough payments for any hackers or rogue staff to be interested in stealing your customers' card data? This is a seductive argument but reality tells a different story. One well-known department store with only a handful of outlets fell victim recently. An employee stole 22 card numbers and made over $400,000 worth of fraudulent purchases. Put simply, if you handle cardholder data at all, you could be targeted. The cost of doing nothing: As well as penalties from the card schemes, the law can get involved if customers are impacted. Fines can run into many thousands for small companies, and millions for larger merchants. There's also the damage to your reputation and customer confidence.

Myth #3: We've got anti-virus and we patch our software, so we're safe
Well done, that's one area shielded. But it's not enough.Once cardholder data enters your environment and systems, it will attract criminals. They'll hunt for weak links in your contact center, recording systems, devices, paper document handling, network connections and more. Everything must be kept watertight. As software security tightens, criminals attack weaknesses such as people and telephone systems.

The cost of doing nothing: PCI DSS compliance isn't a back-office issue or an IT tick-box exercise ... it's a business essential. Customers expect you to keep their sensitive data safe and they're increasingly aware of the issue. A recent survey found that consumers would be more likely to stop using a retailer (54%) than a bank (51%) if they were to suffer an online breach(1). A data breach will harm your reputation and customer loyalty. Plus, most countries impose legal requirements to protect customer data.

Crunching the numbers
The cost of doing nothing about PCI DSS can be eye-watering if you experience a data breach. Fines, restrictions on taking card payments, lost business and a damaged brand reputation could follow. Don't be surprised if it threatens jobs too.

By doing nothing about PCI DSS compliance, individuals aren't just taking a risk with their own careers or money - they could be affecting the livelihoods of colleagues, customers, investors and other stakeholders.

As US Deputy Attorney General Paul McNulty famously once said when talking about corporate compliance:

'If you think compliance is expensive, try non-compliance.'

Looking for a pain-free path to PCI DSS compliance?

Download your free copy of our definitive guide to PCI DSS. You'll discover everything you wanted to know about secure payments but were too afraid to ask.

If you're not convinced by PCI DSS compliance then read our jargon-free guide which explains the rise in CNP crime in contact centers, where you're vulnerable and what you can do to combat the threat.

Sources: (1): Gemalto 2016 Data Breaches and Customer Loyalty Report;